SeattleServer.com wrote:
> On Sunday 29 October 2006 05:36, Vitaly A Zakharov wrote:
>> Try to use a well-known construction, just above virus checking in Exim
>> configuration:
>>
>> acl_check_mime:
>>
>>   warn decode = default
>>   drop message = Blacklisted file extension detected.
>>        condition = ${if match{${lc:$mime_filename}}{\N(\.cpl|\.pif|\.bat|\.scr|\.lnk|\.com|\.hta)$\N}{1}{0}}
>>
>>   accept
>>
>> You would be surprised, the volume of viruses will decrease about a half.
>
> You would be surprised, the number of users who complain because these
> extensions (especially .lnk and .scr) are blocked.
>
> In fact it was such a common problem among our (mostly non-IT) users, that we
> ended up defaulting to NOT blocking executable extensions, though it can be
> turned on per-domain.
>
> I don't really like blocking simply on extension anyways - I ran into it
> myself when trying to E-mail an HTML file without an extension (it was named
> simply somedomain.com).
>
> Cheers,

We have two such rules - both with far more extensive lists, as we cover mostly Mac and other 'non-MS' platforms. Both add 'points' and user prefs do modification to 'Subject:' and quarantining.

- But the 'surprise' here is that they almost never triggered until recently.

Client branch offices that need to send photos and such are whitelisted and/or trained to alter the file extent or encapsulate, and the villainous *were* being stopped before they got as far as that.

That said, the recent rise in otherwise innocuous body with text-bearing graphic attached says we need a server-global tightening up on a *combination* of any-graphic + [stranger AND/OR rudebugger].

- Where 'stranger' is anyone we have never sent 'TO:', and 'rudebugger' is weighted scores for failure on rDNS, HELO, dynamic-IP, RBL, header format ... etc.

If we have to get into the insanity of CPU cycles needed for OCR inspection of graphics, I'd call that a dead loss, strip the dodgy attachments, and point the user community back to their fax machines (color, for the most part) or FedEx. :-(

Bill
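
Added example (not part of the original thread and not any poster's code): a Python model of the points-based policy described in the reply above, reusing the regex from the quoted acl_check_mime rule, so the `somedomain.com` false positive is tagged rather than dropped. The weights, thresholds, image-extension list, function name and addresses are constructed assumptions.

```python
import re

# Pattern copied from the quoted acl_check_mime rule; Exim's \N...\N wrapper
# only suppresses string expansion, so it is dropped here.
BLACKLIST = re.compile(r"(\.cpl|\.pif|\.bat|\.scr|\.lnk|\.com|\.hta)$")
# Assumed list of graphic extensions (not from the thread).
GRAPHIC = re.compile(r"\.(gif|jpe?g|png|bmp|tiff?)$")

# Hypothetical weights for the 'rudebugger' failures named in the reply.
RUDE_WEIGHTS = {"rdns": 2, "helo": 2, "dynamic_ip": 3, "rbl": 4, "header_format": 1}
RUDE_LIMIT = 4       # assumed: score at which a sender counts as a rudebugger
EXT_POINTS = 3       # assumed: points for a blacklisted extension
COMBO_POINTS = 3     # assumed: points for graphic + stranger/rudebugger
QUARANTINE_AT = 5    # assumed: total at which the message is quarantined


def score(filenames, sender, sent_to_before, failed_checks):
    """Return (points, action) for one message.

    sent_to_before: addresses local users have previously mailed; a sender
    outside this set is a 'stranger'.
    """
    names = [n.lower() for n in filenames]        # mirrors ${lc:$mime_filename}
    rude = sum(RUDE_WEIGHTS[c] for c in failed_checks)
    stranger = sender not in sent_to_before

    points = 0
    if any(BLACKLIST.search(n) for n in names):
        points += EXT_POINTS                      # score it, do not drop outright
    if any(GRAPHIC.search(n) for n in names) and (stranger or rude >= RUDE_LIMIT):
        points += COMBO_POINTS + rude

    if points >= QUARANTINE_AT:
        return points, "quarantine"
    if points > 0:
        return points, "tag-subject"
    return points, "accept"


if __name__ == "__main__":
    known = {"colleague@example.org"}             # constructed sample data
    samples = [
        (["somedomain.com"], "colleague@example.org", []),
        (["holiday.JPG"], "colleague@example.org", []),
        (["offer.gif"], "unknown@example.net", ["rdns", "rbl"]),
    ]
    for files, sender, failed in samples:
        print(files, sender, score(files, sender, known, failed))
```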